| Mark Horvath | 008ecb7 | 2020-09-10 12:35:05 +0200 | [diff] [blame] | 1 | ############################################## |
| 2 | Secure Enclave solution for Trusted Firmware-M |
| 3 | ############################################## |
| 4 | |
| 5 | :Author: Mark Horvath |
| 6 | :Organization: Arm Limited |
| 7 | :Contact: Mark Horvath <mark.horvath@arm.com> |
| Mark Horvath | 008ecb7 | 2020-09-10 12:35:05 +0200 | [diff] [blame] | 8 | |
| 9 | ******** |
| 10 | Abstract |
| 11 | ******** |
| 12 | |
| 13 | This document summarizes the design goals and one possible implementation |
| 14 | of the TF-M Secure Enclave solution. |
| 15 | |
| 16 | ************ |
| 17 | Introduction |
| 18 | ************ |
| 19 | |
| 20 | If a separate subsystem can provide the PSA Root of Trust (RoT) in a system |
| 21 | then an additional physical separation exists between the most trusted and |
| 22 | other domains. In such a system at least two subsystems are present, a Secure |
| 23 | Enclave (SE) whose only task is to provide PSA RoT and an application core |
| 24 | where any other application specific functionality can be placed. The latter |
| 25 | core (or cores) are referred as *Host* in this document. |
| 26 | |
| 27 | The current design assumes that Host is a v8-m core with security extension. |
| 28 | |
| 29 | ************ |
| 30 | Requirements |
| 31 | ************ |
| 32 | |
| 33 | - Secure Enclave shall implement secure boot-flow (start-up first at reset and |
| 34 | validate its own and the Host image or images before release Host from reset) |
| 35 | - Secure Enclave shall provide the PSA RoT services |
| 36 | - Host shall provide not just the non-secure context but the Application RoT as |
| 37 | well |
| 38 | - It shall be transparent to the (secure or non-secure) applications running on |
| 39 | host whether the RoT services are provided by the same subsystem or by a |
| 40 | Secure Enclave. |
| 41 | |
| 42 | .. Note:: |
| 43 | |
| 44 | In comparison, in a Dual Core system the whole secure context is placed on a |
| 45 | separate subsystem, while a Secure Enclave only implements the PSA RoT |
| 46 | security domain. |
| 47 | |
| 48 | *************** |
| 49 | Proposed design |
| 50 | *************** |
| 51 | |
| 52 | As the clients and the services are running on different cores only the IPC |
| 53 | model can be used on both Secure Enclave and Host. |
| 54 | |
| 55 | Secure Enclave |
| 56 | ============== |
| 57 | |
| 58 | To provide the required functionality it is enough to run the current PSA RoT |
| 59 | secure partitions on the Secure Enclave, so no need for non-secure context |
| 60 | there. (It is enough if the Secure Enclave's architecture is v6-m, v7-m or v8-m |
| 61 | without the security extension.) |
| 62 | |
| 63 | Secure Enclave can treat all clients running on Host as non-secure (even the |
| 64 | services running on Host's secure side). This means that fom Secure Enclave's |
| 65 | point of view all Host images, Host's RAM and shared memory between Host and |
| 66 | Secure Enclave if present are treated as non-secure. (Just like in the Dual CPU |
| 67 | solution.) But the clients need to be distinguished, otherwise some |
| 68 | functionalities are not working, for example: |
| 69 | - Protected Storage partition shall run on Host, but the PS area is handled by |
| 70 | Internal Trusted Storage partition (running on Secure Enclave). ITS partition |
| 71 | decides whether it should work on PS or ITS assets by checking the client ID. |
| 72 | - If a secure partition on host creates a crypto key, no other client shall be |
| 73 | able to destroy it. |
| 74 | |
| 75 | Communication |
| 76 | ============= |
| 77 | |
| 78 | To communicate between Host and Secure Enclave, the existing mailbox solution |
| 79 | can be reused as it is. |
| 80 | |
| 81 | Host |
| 82 | ==== |
| 83 | |
| 84 | On Host the current TF-M software architecture can be placed to provide |
| 85 | non-secure context and Application RoT domain. |
| 86 | |
| 87 | One solution to forward a PSA RoT IPC message from a client running on Host to |
| 88 | the Secure Enclave is to add a proxy partition to the secure side. This PSA |
| 89 | Proxy partition can provide all the RoT services to the system by forwarding |
| 90 | the messages over the mailbox solution. |
| 91 | |
| 92 | If the new partition's manifest contains all the PSA RoT service IDs SPM will |
| 93 | deliver all IPC messages there. Then the messages just must be blindly copied |
| 94 | into the mailbox. PSA proxy can use the non-secure interface of the mailbox, |
| 95 | but it is placed on the secure side of Host. (From SE's point of view this is |
| 96 | in fact the non-secure side of the mailbox as whole Host is treated as |
| 97 | non-secure.) |
| 98 | |
| 99 | It is important to verify IOVECs before forwarding them to SE, otherwise a |
| 100 | malicous actor could use SE to access a memory area otherwise unaccessable. If |
| 101 | PSA proxy uses the current secure partition interface then this is ensured by |
| 102 | Host's SPM. |
| 103 | |
| 104 | SE treats all clients of Host as non-secure, so all PSA messages shall have a |
| 105 | negative client ID when pushed into SE's SPM. This is given for the clients on |
| 106 | the non-secure side of Host, but the secure side clients of Host have positive |
| 107 | client IDs. The straightforward solution is to translate the positive client |
| 108 | IDs into a predefined negative range in PSA proxy, and push the translated |
| 109 | values into the mailbox. Of course this range shall be reserved for this use |
| 110 | only and no clients on non-secure side of Host shall have client ID from this |
| 111 | range. |
| 112 | |
| 113 | To avoid blocking Host when a message is sent PSA Proxy shall handle the |
| 114 | service requests in non-blocking mode. And to maximize bandwidth PSA Proxy |
| 115 | shall be able to push new messages into the mailbox, while others still not |
| 116 | answered. To achieve these the mailbox interrupts needs to be handled in the |
| 117 | PSA Proxy partition. |
| 118 | |
| 119 | -------------- |
| 120 | |
| 121 | *Copyright (c) 2020, Arm Limited. All rights reserved.* |